Refactor OIDC tests to better mimic an actual OIDC provider

Instead of constantly mocking the internal methods of the OIDC handler, it now mocks HTTP responses
matrix-org · Sep 22, 2022 · 865390f · 865390f
1 parent 0d33dd9
commit 865390f
Show file tree

Hide file tree

Showing 2 changed files with 531 additions and 302 deletions.
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
@@ -44,7 +44,7 @@
     MacaroonInitException,
     MacaroonInvalidSignatureException,
 )
-from typing_extensions import TypedDict
+from typing_extensions import NotRequired, TypedDict
 
 from twisted.web.client import readBody
 from twisted.web.http_headers import Headers
@@ -95,10 +95,10 @@
 class Token(TypedDict):
     access_token: str
     token_type: str
-    id_token: Optional[str]
-    refresh_token: Optional[str]
+    id_token: NotRequired[str]
+    refresh_token: NotRequired[str]
     expires_in: int
-    scope: Optional[str]
+    scope: NotRequired[str]
 
 
 #: A JWK, as per RFC7517 sec 4. The type could be more precise than that, but
@@ -367,6 +367,7 @@ def __init__(
         provider: OidcProviderConfig,
     ):
         self._store = hs.get_datastores().main
+        self._clock = hs.get_clock()
 
         self._macaroon_generaton = macaroon_generator
 
@@ -847,7 +848,9 @@ async def _verify_jwt(
 
         logger.debug("Decoded JWT (%s) %r; validating", claims_cls.__name__, claims)
 
-        claims.validate(leeway=120)  # allows 2 min of clock skew
+        claims.validate(
+            now=self._clock.time(), leeway=120
+        )  # allows 2 min of clock skew
         return claims
 
     async def _parse_id_token(self, token: Token, nonce: str) -> CodeIDToken:
@@ -862,7 +865,7 @@ async def _parse_id_token(self, token: Token, nonce: str) -> CodeIDToken:
         Returns:
             The decoded claims in the ID token.
         """
-        id_token = token["id_token"]
+        id_token = token.get("id_token")
 
         # That has been theoritically been checked by the caller, so even though
         # assertion are not enabled in production, it is mainly here to appease mypy
@@ -1294,8 +1297,8 @@ async def handle_backchannel_logout(
         # `user_id`. Hence, we have to iterate over the list of devices and log them out
         # one by one.
         for device in devices:
-            user_id = device["user_id"]
-            device_id = device["device_id"]
+            user_id: str = device["user_id"]
+            device_id: str = device["device_id"]
 
             # If the user_id associated with that device/session is not the one we got
             # out of the `sub` claim, skip that device and show log an error.